[jboss-jira] [JBoss JIRA] (SECURITY-882) Fix for SECURITY-868 breaks flush-cache capability
RH Bugzilla Integration (JIRA)
issues at jboss.org
Wed Oct 21 16:12:00 EDT 2015
[ https://issues.jboss.org/browse/SECURITY-882?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
RH Bugzilla Integration updated SECURITY-882:
---------------------------------------------
Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=1219778, https://bugzilla.redhat.com/show_bug.cgi?id=1230308, https://bugzilla.redhat.com/show_bug.cgi?id=1274071 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1219778, https://bugzilla.redhat.com/show_bug.cgi?id=1230308)
> Fix for SECURITY-868 breaks flush-cache capability
> --------------------------------------------------
>
> Key: SECURITY-882
> URL: https://issues.jboss.org/browse/SECURITY-882
> Project: PicketBox
> Issue Type: Bug
> Components: AS-Integration
> Affects Versions: PicketBox_4_0_19.Final
> Environment: EAP 6.3.3, JDV 6.1.0
> Reporter: Hisanobu Okuda
> Assignee: Stefan Guilhen
>
> The member field ThreadLocal<CompoundInfo> validatedDomainInfo was introduced for the fix of SECURITY-868. When you are authenticated, a valid security info is stored in the field thread-locally. Then, you flushes the JAAS cache via CLI or API in another thread, org.jboss.security.authentication.JBossCachedAuthenticationManager.flushCache() is invoked, but validatedDomainInfo is not flushed properly, since it is ThreadLocal. As a result, a cached security info is re-used unexpectedly.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
More information about the jboss-jira
mailing list